Bug 539489 - SELinux is preventing polkit-grant-he (polkit_grant_t) "read" initrc_t.
Summary: SELinux is preventing polkit-grant-he (polkit_grant_t) "read" initrc_t.
Keywords:
Status: CLOSED DUPLICATE of bug 538428
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:9c90591e691...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-11-20 11:18 UTC by Christoph Wickert
Modified: 2009-11-20 12:01 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-11-20 12:01:42 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Christoph Wickert 2009-11-20 11:18:55 UTC 
Zusammenfassung:

SELinux is preventing polkit-grant-he (polkit_grant_t) "read" initrc_t.

Detaillierte Beschreibung:

[SELinux ist im Permissive-Modus. Dieser Zugriff wurde nicht verweigert.]

SELinux denied access requested by polkit-grant-he. It is not expected that this
access is required by polkit-grant-he and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Zugriff erlauben:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Zusätzliche Informationen:

Quellkontext                  system_u:system_r:polkit_grant_t:s0-s0:c0.c1023
Zielkontext                   system_u:system_r:initrc_t:s0
Zielobjekte                   exe [ lnk_file ]
Quelle                        polkit-grant-he
Quellen-Pfad                  /usr/libexec/polkit-grant-helper
Port                          <Unbekannt>
Host                          (removed)
Quellen-RPM-Pakete            PolicyKit-0.9-6.fc11
Ziel-RPM-Pakete               
RPM-Richtlinie                selinux-policy-3.6.12-86.fc11
SELinux aktiviert             True
Richtlinienversion            targeted
MLS aktiviert                 True
Enforcing-Modus               Permissive
Plugin-Name                   catchall
Hostname                      (removed)
Plattform                     Linux (removed) 2.6.30.9-96.fc11.x86_64
                              #1 SMP Wed Nov 4 00:02:04 EST 2009 x86_64 x86_64
Anzahl der Alarme             9
Zuerst gesehen                Mo 09 Nov 2009 23:13:34 CET
Zuletzt gesehen               Mi 18 Nov 2009 18:38:33 CET
Lokale ID                     3d0b8158-b09f-4cdb-bae9-c4d59729f801
Zeilennummern                 

Raw-Audit-Meldungen           

node=(removed) type=AVC msg=audit(1258565913.532:40): avc:  denied  { read } for  pid=4036 comm="polkit-grant-he" name="exe" dev=proc ino=34842 scontext=system_u:system_r:polkit_grant_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=lnk_file

node=(removed) type=SYSCALL msg=audit(1258565913.532:40): arch=c000003e syscall=89 success=yes exit=15 a0=7fffcc44ed90 a1=7fffcc44eea0 a2=fff a3=18 items=0 ppid=4035 pid=4036 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=87 sgid=87 fsgid=87 tty=(none) ses=1 comm="polkit-grant-he" exe="/usr/libexec/polkit-grant-helper" subj=system_u:system_r:polkit_grant_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  selinux-policy-3.6.12-86.fc11,catchall,polkit-grant-he,polkit_grant_t,initrc_t,lnk_file,read
audit2allow suggests:

#============= polkit_grant_t ==============
allow polkit_grant_t initrc_t:lnk_file read;
Comment 1 Miroslav Grepl 2009-11-20 12:01:42 UTC 
You report F11 policy bug on an F12 machine. Please complete the update.

*** This bug has been marked as a duplicate of bug 538428 ***
Note You need to log in before you can comment on or make changes to this bug.